Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!news-peer.sprintlink.net!news.sprintlink.net!sprint!uunet!in2.uu.net!128.138.240.25!boulder!rintintin.Colorado.EDU!fcrary
From: fcrary@rintintin.Colorado.EDU (Frank Crary)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Help with a.out
Date: 21 Apr 1997 03:23:49 GMT
Organization: University of Colorado, Boulder
Lines: 58
Message-ID: <5jemk5$kdn@lace.colorado.edu>
References: <3355973C.429F@charlotte.infi.net> <5jdd6t$ndu@lace.colorado.edu> <86g1wlk6nx.fsf@pro200.farmer.org>
NNTP-Posting-Host: rintintin.colorado.edu
NNTP-Posting-User: fcrary
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:39421

In article <86g1wlk6nx.fsf@pro200.farmer.org>,
Steven L. Farmer <slfarmer@swbell.net> wrote:
>> I hit the same problem. Unix looks for executables in the directories
>> defined by the $PATH environment variable, and for some reason the
>> current directory is not part of the default $PATH in FreeBSD (or
>> at least not as of 2.1.5). You can fix that by editing your .cshrc file.
>> Originally, mine had a line reading
>> set path = ( [usual paths])
>> by changing that to
>> set path = (. [usual paths])

> This is generally regarded to be a Bad Thing, since it opens the
> (barn?) door to Trojan Horses.

Good point. In my case, I have no network connections unless I run the user prompt ppp command, so this isn't a problem. But I need to remember to change things when I (eventually) set up better connections. (And not to suggest this to other people without mentioning the security problem...)

However, I find that a large number of Unix machines, in particular those at research institutions, put the dot in the default PATH variable. This seems like a very bad idea, and someone should yell at their system administrators...

> ...If you *must* add dot to your path, adding it to the start
> is the worst possible choice. Add it to the end instead, or at least
> following all of the normal "system" directories.

That's also a good point, but I think the advantages are subtle enough that they should be stated in more detail. The advantage, as I understand it, is that all the other directories would be checked first, and if the name was found, the machine would run the real program, not the Trojan Horse in the current directory. That would make it harder to hide a Trojan Horse.

E.g. if someone put one in my home directory, called it "elm" and ran it, with a dot at the beginning of my PATH variable, it would show up on "ps", "top", etc. as fcrary running elm. Someone seeing that would think, "Frank's checking his mail" or, if the process had been running for a long time, "Frank forgot to quit after checking his mail." If the dot were at the end of my PATH, the system would find the real elm first, and run that. So the Trojan Horse would have to use an unusual name, and one that would not be easily identified.

But I don't see this as a major issue: a.out would not be a suspicious process, and ./elm would show up as elm. If there is more to the location of the dot than this, I'd like to know about it.

Frank Crary
CU Boulder

PS: I suspect someone's going to be upset about this. I've just described in detail how someone could hide a Trojan Horse, publicly. You could say that I'm giving criminals an idea about how to avoid getting caught. I disagree for two reasons. First, publicly describing security problems is the best way to avoid them. It lets people know how and why the problem exists and that's the start of solving the problem. Second, I doubt there are many people capable of introducing a Trojan Horse who haven't figured these tricks out.

FJC
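The point about where the dot sits in PATH, as an added example that is not part of the original thread: a POSIX sh function that audits a PATH string for entries resolving to the current directory (a literal ".", or an empty field, which POSIX shells treat the same way) and reports whether each one is searched before or after the other directories. The function name and the sample PATH strings are assumptions made for this example.

```shell
# audit_path: scan a PATH-style string for entries that resolve to the
# current directory: a literal "." or an empty field (a leading, trailing
# or doubled colon, which POSIX shells also treat as "."). For each one it
# prints where it sits, since a dot searched before the system directories
# shadows every command name, while a dot at the end is only reached for
# names nothing else matched. Returns 1 if any such entry was found.
audit_path() {
    search_path="${1:-$PATH}"
    found=0
    index=0
    # Append a colon so the final field is parsed like the others.
    rest="$search_path:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        index=$((index + 1))
        case "$entry" in
            .|"")
                found=1
                if [ -z "$entry" ]; then
                    label="empty entry"
                else
                    label="dot entry"
                fi
                if [ "$index" -eq 1 ]; then
                    where="first (searched before every system directory)"
                elif [ -z "$rest" ]; then
                    where="last (searched only after all other entries)"
                else
                    where="position $index (searched before later entries)"
                fi
                printf '%s at %s\n' "$label" "$where"
                ;;
        esac
    done
    return "$found"
}

# Constructed sample values; the third form is a common accidental one.
audit_path ".:/usr/bin:/bin" || echo "unsafe"
audit_path "/usr/bin:/bin:." || echo "unsafe"
audit_path "/usr/bin::/bin"  || echo "unsafe"
audit_path "/usr/bin:/bin"   && echo "clean"
```

Run it with no argument to audit the PATH of the current shell.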